* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Forensic Analysis of a SQL Server 2005 Database
Survey
Document related concepts
Tandem Computers wikipedia , lookup
Entity–attribute–value model wikipedia , lookup
Oracle Database wikipedia , lookup
Microsoft Access wikipedia , lookup
Serializability wikipedia , lookup
Ingres (database) wikipedia , lookup
Functional Database Model wikipedia , lookup
Concurrency control wikipedia , lookup
Team Foundation Server wikipedia , lookup
Extensible Storage Engine wikipedia , lookup
Microsoft Jet Database Engine wikipedia , lookup
Database model wikipedia , lookup
Clusterpoint wikipedia , lookup
Relational model wikipedia , lookup
Transcript
Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Forensic Analysis of a SQL Server 2005 Database Server AD Copyright SANS Institute Author Retains Full Rights fu ll r igh ts. GIAC Gold Template Forensic Analysis of a SQL Server 2005 Database Server ins GCFA Gold Certification eta Author: Kevvie Fowler, GCFA, CISSP, MCTS, MCSD, MCDBA, MCSE rr [email protected] ut ho Adviser: Joey Niem 07 ,A Accepted: April 1, 2007 © SA NS In sti tu te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 1 Author retains full rights. GIAC Gold Template Outline Investigation Introduction ................................................................................................................. 3 Step 1: Verification ........................................................................................................................... 3 fu ll r igh ts. Step 2: System Description............................................................................................................. 10 Step 3: Evidence Collection ............................................................................................................ 11 Step 4: Timeline Creation .............................................................................................................. 16 Step 5: Media Analysis.................................................................................................................... 18 ins Step 6: Data Recovery...................................................................................................................... 38 eta Step 7: String Search ...................................................................................................................... 43 rr Investigation Summary ................................................................................................................... 44 ho Appendix A ....................................................................................................................................... 46 ut Appendix B ....................................................................................................................................... 48 07 ,A References ........................................................................................................................................ 50 © SA NS In sti tu te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 2 Author retains full rights. GIAC Gold Template Investigation Introduction On March 1st, 2007, I received a call from a client who stated that they may have been a fu ll r igh ts. victim of a security incident sometime over the past 24 hours. They believed unauthorized modifications were made to their production database server which had resulted in erroneous product shipments and financial loss to the company. Due to the mission critical nature of the system, it could not be taken off-line unless significant evidence of system misuse could be eta ins identified. rr Step 1: Verification ut ho 4E46 07 ,A Upon arriving on scene, I was briefed on the situation and learned that the SQL Server 2005 database server contained a single user database which was the foundation of an online-sales 20 application. The client also FA27 informed me998D that they had received a call from a credit Key fingerprint = AF19 2F94 FDB5 DE3D F8B5 06E4 A169 4E46card company tu te regarding a suspicious transaction that was charged to a client card by their company. sti Because the server could not be taken off-line, a live analysis was performed. During a In live analysis volatile and non volatile data is viewed and acquired with the assistance of the live NS target operating system1. During a forensic investigation you should utilize binaries on the target © SA system as little as possible as they may be corrupt or tampered with thus skewing their output. The incident response CD-Rom used in this investigation contains traditional incident response tools in addition to SQL utilities and libraries which allow ad-hoc query submission to SQL Servers using minimal assistance from the un-trusted host. A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 3 Author retains full rights. GIAC Gold Template To begin the incident verification, Windows Forensic Tool v1.0.03 will be used with a customized configuration file. This configuration file will execute Distributed Management Views (DMV), Database Consistency Checker (DBCC) commands and other vendor issued procedures to gather data which can be used to prove or disprove the occurrence of an intrusion. fu ll r igh ts. For more information on the customized Windows Forensic Tool Chest configuration file, refer to Appendix A of this document. At precisely 10:02 AM, server time, the client’s system logged into the PRODSQL05 ins SQL Server interactively under the user context Administrator. Upon logging into the system, it eta was observed that the system tray contained no third party application icons and the operating rr system appeared to be Windows 2003 Standard Edition. At 10:03 AM, server time, I assumed ho command of the console to begin the investigation. My Forensic Response CD was inserted 07 ,A ut into the computer and a trusted command shell was launched by issuing the “D:\FResponse\cmd.exe” command. Using the full file path in addition to the binary name te 20 ensures that the binary is loaded from the trusted CD. The un-trusted host may contain binaries Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 with matching names to the binaries contained on my response CD. If these binaries are present tu within a directory referenced in the path variable of the target host, the un-trusted binaries can be sti loaded in error. To eliminate the possibility of this occurring, the full file location in addition to NS In the binary name will be used during this investigation. SA The outputs from the tools run during this investigation, will be saved on the trusted © forensic workstation as opposed to the un-trusted target host. From the command shell, the “D:\FResponse\net use * \\192.168.1.174\$Acquisition” command was issued to map a drive from the target host to sterile storage media located on my forensic laptop which was connected to the network under IP Address 192.168.1.174. The “$Acquisition” share is hidden and password protected to help ensure the integrity A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 4 Author retains full rights. GIAC Gold Template of the data within. It was noted that the drive letter associated with the net use command was connected as “E:\” on the target host. The “D:\FResponse\wft.exe –dst E:\” command was issued to launch the customized Windows Forensic Toolchest v1.0.03 instance which gathered volatile database and operating system data from the target system and securely stored it on the fu ll r igh ts. forensic workstation. Once Windows Forensic Toolchest was finished executing, the results were analyzed and the following notable events were identified. ins SQL Server reserves Sessions #50 and lower for internal SQL Server processes, discounting these, eta it was identified that two sessions were currently active on the SQL Server. The first Session ID rr # 52 which belonged to the instance of WFT executing under the local Administrator context and ho the second was Session #51 belonging to an unknown user operating under the login 07 ,A ut EASYACCESS. This session had been established at 7:58 AM that morning. Because the login name was unconventional, it was flagged for client verification. SA NS In sti tu te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SQL Server 2005 maintains a record of the last SQL statement executed by a given session. Viewing this history for the connected users led to the identification of a suspicious transaction. A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 5 Author retains full rights. fu ll r igh ts. GIAC Gold Template The audit policy active on the target system was configured to log successful logins only, ins and not login failures. However, SQL Server maintains its own log that records database related eta service errors in addition to authentication data. The error log was stored within the “c:\Program rr Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG” directory of the target system. Review of ho the error log identified several hundred failed login attempts in succession against the sa account, ut followed by its successful login. This activity is normally attributed to evidence of a successful 07 ,A brute force attack against the database server. © SA NS In sti tu te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 To further investigate the above findings, the configuration of the SQL Server needed to be obtained. SQLCMD, a Microsoft issued utility which allows the submission of ad-hoc SQL A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 6 Author retains full rights. GIAC Gold Template statements and scripts to a MS SQL Server will be used from the trusted incident response CD. The ad-hoc query capabilities of this tool will be used during the remainder of this investigation. The “D:\FResponse\Sqlcmd –S PRODSQL05 –e –s”,”” command was executed from the trusted command prompt which opened a connection to the SQL Server using the interactive user fu ll r igh ts. context. The “-e” switch forces SQLCMD to echo our input statements into the SQL result files and the “-s”,”” switch ensures the outputs are comma delimited which will allow the results to be imported into another application for deeper analysis. rr eta associated results securely to my forensics workstation. ins After logging in, an output file was established to log the SQL statements and their ut ho :out e:\initialconnection.txt 07 ,A A MD5 hash will be created on each output file to ensure data integrity. When a connection is 20 made to SQL Server the default database context configured under the user Login Properties will Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 be used. To ensure the database context was indeed set for the OnlineSales database the following sti tu te command was issued: Results: initialconnection.txt SA NS In use OnlineSales go © SQL Server 2005 can be configured to use either Windows Authentication, which allows the host operating system to authenticate users, or Mixed Mode authentication, which allows authentication to occur at either the Operating System or independently within SQL Server4. There are also various logging options within SQL Server to log successful and/or failed login attempts. To verify the active configuration settings of the subject server the following command was run: A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 7 Author retains full rights. GIAC Gold Template xp_loginconfig Results: xp_loginconfig--onlinesales.txt fu ll r igh ts. The following results were produced and show that the server is set for Mixed Mode ut ho rr eta ins authentication and is configured to log both successful and failed login attempts. 07 ,A Authorization within SQL Server 2005 is controlled by two gates. The first gate ensures that users are authenticated at the database instance and the second ensures that users have the 20 appropriate permissions to access the various and F8B5 database objects. During the Key fingerprint = AF19 FA27 2F94 998D databases FDB5 DE3D 06E4 A169 4E46 te verification step of this investigation we identified that the SQL server login EASYACCESS was tu logged into the server. However because the investigation is on the OnlineSales database the In sti database permissions will need to be checked to ensure that the EASYACCESS account has access to this specific database. The following query was run to gather a list of all database users SA NS within the OnlineSales database: © Select * from sys.database_principals where type = 'S' or type = 'U' order by create_date, modify_date Results: db_principals-onlinesales.txt This query produced the following results which show that the EASYACCESS user account does have access to the OnlineSales database: A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 8 Author retains full rights. fu ll r igh ts. GIAC Gold Template The Microsoft extended procedure “xp_cmdshell” allows users to execute dos commands within the underlying host operating system using their SQL client. This can allow an attacker who compromises the SQL Server to then launch attacks against the underlying host operating ins system. However, this procedure is disabled by default in SQL Server 2005. To verify its rr eta current state, the following command was executed: Results: sys.configurations.txt ut ho Select * from sys.configurations 07 ,A The results showed that this procedure was disabled therefore the assumption is made that In sti tu te 20 database users are unable to execute operating system level commands on the host. Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 NS At approximately 10:45 AM, the initial findings were presented to the client who verified SA that the EASYACCESS account was an anomaly and not created for any legitimate business purpose. It was also disclosed that the Online Sales application was down for maintenance © therefore no one should have been logged on to the OnlineSalesdatabase or have executed the identified delete statement. At 11:01 AM the client authorized a full forensic investigation to be performed on the server to determine the scope and impact of the intrusion. At 11:05 AM The SQL Server was A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 9 Author retains full rights. GIAC Gold Template disconnected from the production network and plugged into a 4 port DLINK hub to isolate the fu ll r igh ts. server and prevent further modification by the unknown user. ins Step 2: System Description eta As previously stated in the verification section of this document, upon login to the target rr server the default Microsoft background was visible on the server console and there were no third ho party applications visible within the system tray. The following system profile was gathered ut from information provided by the client as well as investigator findings gathered during the 07 ,A verification step: Serial Number US822301223 System Operating System Microsoft Windows Server 2003 Service Pack 1 Database Version 9.00.1399.06 System Function tu te 20 PRODSQL05 sti Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 System Name In Function as a backend database to an online order processing system The system contained 3 peripheral network cards, one appeared to be a video card, and the remaining two appeared to be network cards, however, only a single network card was actually connected to the network. © SA NS Physical Description A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 10 Author retains full rights. GIAC Gold Template 07 ,A ut ho rr eta ins fu ll r igh ts. Asset Photographs: NS In sti tu te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SA Step 3: Evidence Collection As time elapses after a security incident, evidence can be overwritten by legitimate and/or malicious system activity. Databases can contain large data stores which result in a high data acquisition cost. To help ensure priority is given to the data sources most likely to contain relevant data to support the investigation, it’s my expert opinion that relevant data sources be A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 11 Author retains full rights. GIAC Gold Template assigned a significance and also a volatility value between 1 -5 with, 5 being of higher significance and/or volatility. The following values should be used in the following formula to determine priority [10 - (significance rating) + (volatility rating) = priority]. Using the above formula, the fu ll r igh ts. data stores relevant in this investigation were prioritized as follows: Importance Volatility Priority SQL Server Connections & Sessions 5 5 0 Transaction Log(s) 5 4 SQL Server Logs 4 3 SQL Server Database Files 3 2 System Event Logs 2 ins Item 3 5 6 rr eta 2 1 ho Now that data stores have been identified and prioritized, the actual data acquisition can 07 ,A SQL Server connection & session data ut take place. 20 information successfully via theF8B5 customized Windows KeyRelated fingerprint = AF19 was FA27 2F94 998Dcaptured FDB5 DE3D 06E4 A169 4E46 Forensic sti tu te Tool chest tool executed during the verification stage of this investigation. In Transaction Logs NS The SQL Server transaction log contains a record of all insert, update and delete SA statements made within the database. For performance reasons SQL Server does not immediately © write these events to the physical data files. Instead changes are written to the log file to buffer and later written to the data files. A single SQL Server database can utilize multiple database files and multiple transaction logs. The number of files and locations will need to be identified for the OnlineSales database. A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 12 Author retains full rights. GIAC Gold Template Using the trusted SQLCMD session, the following SQL query is executed to gather the database file information: sp_helpdb OnlineSales fu ll r igh ts. Results: sp_helpdb-onlinesales.txt The below results were returned from the above SQL query and show that the OnlineSales database is currently using one physical data file ending with the “.mdf” extension ins and two transaction log files ending with the “.ldf” extension. These files are contained within ut ho rr filename … -------------------------------------------------------------------------------------------------------------------------------------------- ----------------C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\OnlineSales.mdf … C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\OnlineSales_log.ldf … C:\OtherLogs\OnlineSales_log2.ldf … 07 ,A name fileid ------------------------------- -----OnlineSales 1 2 OnlineSales_log 3 OnlineSales_log2 eta separate Windows file locations. tu te 20 The following SQL query was then executed to dump the contents of the OnlineSales log Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 file to the trusted forensic workstation: Results: dbcclog-onlinesales.txt In sti dbcc log(OnlineSales) NS Although a SQL Server database can use multiple physical transaction logs internally, SA SQL Server splits each physical log file into 4-16 Virtual Log Files (VLFs)5. Selected VLFs are © marked active at any given time and used to record transactions. SQL Server periodically completes a checkpoint process which flushes changes recorded in the log file to the physical disk file. Once this is complete, SQL Server marks the VLFs containing the fully committed transactions reusable and will overwrite them as required with new log records. A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 13 Author retains full rights. GIAC Gold Template The following SQL Server command was run from within the OnlineSales context to view the logical allocation status of the physical transaction log: dbcc loginfo fu ll r igh ts. Results: dbccloginfo-onlinesales.txt The results of this command may be helpful later in the investigation when it will be determined if the physical transaction log file will be split into virtual log files to separate the active VLFs from the reusable VLFs which may contain historical data relevant in this ins investigation. In order to obtain a true bit-to-bit copy of the transaction log, the SQL Server eta service will need to be shutdown in order to release the locks held on the target files. At SQL rr Server shutdown and startup the database checkpoint process is automatically triggered5 which, ho as previously stated before will flush the non committed changes to disk and mark the records as 07 ,A ut reusable. The following command was executed to force the shutdown of SQL Server. Results: shutdown.txt tu te 20 Shutdown Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 sti After the SQL SERVER processes were shutdown, the physical log files were acquired In using the dcfldd disk imaging tool which also generated MD5 hashes for the acquired data. These NS hashes were compared to the hashes of the on disk files to ensure the data was not altered during © SA duplication. Database files A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 14 Author retains full rights. GIAC Gold Template Using the database file locations retrieved from the results of the “sp_helpdb OnlineSales” command executed earlier in the investigation, the OnlineSales database file was also fu ll r igh ts. acquired using the dcfldd tool. Default SQL Server Trace File The default configuration of SQL server runs a trace which captures limited activity within the database. This configuration is enabled by default, but can be disabled by a user with ins sufficient privileges. Using the SQL Server configuration gathered earlier in this investigation, the 07 ,A ut ho rr eta default trace was confirmed to be enabled. te 20 review of the FA27 SQL Server installation several trace files4E46 using the default KeyDuring fingerprint = AF19 2F94 998D FDB5directory DE3D F8B5 06E4 A169 Microsoft trace naming convention “log_##” were identified. These log files were acquired using In sti tu the dcfldd tool as they may contain information relevant in this investigation. NS SQL Server Error Logs SA In addition to the current error log used by SQL Server, historical log data is also © maintained. Each time the SQL Server service is restarted, a new error log is created and the existing log is backed up. SQL Server maintains the current error log in addition to 6 log backups. All 7 error logs were acquired using the dcfldd tool. Once all data had been acquired the SQL Server services were restarted. A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 15 Author retains full rights. GIAC Gold Template Step 4: Timeline Creation Constructing an initial timeline will map out the notable digital events which have been identified fu ll r igh ts. thus far and establish an investigation scope which will be used during the Media Analysis phase. Review of the SQL Server error logs obtained during the Evidence Collection step show that the eta ins SQL Server instance was restarted on March 01, 2007. This will be the first entry in the timeline. As discovered during the verification step of rr this investigation on March 2nd, 2007 several hundred failed SQL Server login attempts were ut ho recorded within the error log between 7:01 AM to 7:39 AM from IP address 192.168.1.20. 07 ,A Following these failed login attempts were successful logins by the SA account at 7:54 AM and the EASYACCESS account at 8:09 AM from the same IP address. In sti tu te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 NS These events will be added to the timeline in addition to the associated Server Process Identifier SA (SPID). A SPID is a unique number used by SQL Server to track a given session within the © database server2. The trace files obtained during the evidence collection phase of this investigation were imported into MS SQL Profiler on my forensic workstation for analysis. During review, the following notable events were identified: (1) Creation of EASYACCESS account (2) EASYACCESS account is granted access to OnlineSales database (3) EASYACCESS account is added to ONLINESALES db_owner role A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 16 Author retains full rights. GIAC Gold Template (4-6) Unknown transactions are executed by EASYACCESS account which required tempdb usage. Often DML operations require tempdb usage2 therefore it is likely that SPID 51 issued DML operations which required object or interim result fu ll r igh ts. storage. ins 1 eta 2 rr 4 5 ut ho 3 07 ,A 6 20 Keyonfingerprint AF19 FA27 FDB5 DE3Dthe F8B5 06E4 A169 4E46 Based the events=identified thus2F94 far in998D the investigation, following timeline was User March 1, 2007 Action N/A SQL Server instance is restarted SQL Server Brute Force attack launched against PRODSQL05 server SA SQL Server user account logs into PRODSQL05 server EASYACCESS account created EASYACCESS account granted access to OnlineSales database EASYACCESS account added to OnlineSales db_owner role EASYACCESS SQL Server account logs into 7:01 AM – 7:39 AM 7:54 AM UNKNOWN 51 © March 2, 2007 NS UNKNOWN SA 7:26 AM SPID In Time sti tu te constructed: SA 51 7:54 AM 7:55 AM SA SA 51 51 7:56 AM SA 51 8:09 AM EASYACCESS 51 A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 17 Author retains full rights. GIAC Gold Template EASYACCESS 51 8:13 AM EASYACCESS 51 8:13 AM EASYACCESS 51 10:17 AM 11:05 AM 11:16 AM Administrator Administrator Administrator 52 N/A 52 PRODSQL05 server EASYACCESS account executes unknown transaction within ONLINESALES db EASYACCESS account executes unknown transaction within OnlineSales database EASYACCESS account executes unknown transaction within OnlineSales database Start of Forensic Investigation of database server PRODSQL05 server removed from network SQL Server instance shutdown fu ll r igh ts. 8:09 AM The application connected to SPID 51 was recorded by SQL Server as “OSQL-32”. ins Performing a Google™ search on this name identified the application as a legacy Microsoft eta command line query tool called OSQL. This will be noted as it may be relevant in the future if an 07 ,A ut ho rr investigation is performed on the unauthorized user’s computer. In sti tu te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 SA NS Step 5: Media Analysis © The timeline established in the previous step will now be used to set boundaries on the scope of media analysis. Using the timeline, the focus of the investigation will be on activities executed by SPID 51 between 7:54 AM March 1st, 2007 when the unauthorized access was gained to SQL Server and later in the day at 11:05 AM when the system was isolated from the production network. A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 18 Author retains full rights. GIAC Gold Template Before looking at any of the raw SQL Data files, the data types in use within the OnlineSalesdatabase will need to be identified. Unicode is a standard method of mapping SQL Server byte representations (code points) to ASCII characters. The Unicode standard is inclusive fu ll r igh ts. of characters which map to all languages throughout the world. SQL Server uses various data types which store Unicode data, however there are some data types used by SQL Server (char(n), varchar(n) & text) which store non-Unicode values3. When non-Unicode values are stored within SQL Server, they are converted to a supported data type using the collation setting ins of the respective table column3. If this data is viewed by a computer using a code page which eta does not cover the range of characters used within the collation setting of the database, data loss rr can occur which can skew the results3. To determine if non-Unicode data was being used by the 07 ,A ut ho Order table and the collation setting in place, the following procedure was run: sp_tablecollations 'order' Results: sp_tablecollations-onlinesales.txt 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 te The results below show that both Unicode and non-Unicode data is stored within the Order tu table. The columns storing non-Unicode data are using the SQL_Latin1_General_CP1_CI_AS © SA NS In sti collation setting. A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 19 Author retains full rights. ins fu ll r igh ts. GIAC Gold Template eta This collation setting was researched on SQL Server 2005 Books Online which showed rr that this collation maps to code page 12524. To verify the code page in use on my forensic ho workstation, the regional and language options application within control panel on my forensic 07 ,A ut workstation was viewed. This identified that the forensic workstation was using a compliant code page in order to correctly translate the code points used by SQL Server. © SA NS In sti tu te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 20 Author retains full rights. GIAC Gold Template The transaction log acquired during the evidence collection phase was imported into Microsoft Excel using code page 1252. A SQL Server 2005 transaction log contains over 100 fu ll r igh ts. columns however only a few columns will contain relevant data based on the scope of this investigation. The following table outlines target columns and their function within this investigation. Description Operation The type of operation which was performed PageID The data page affected by the transaction SlotID The row within the data page affected by the transaction Offset in Row The first position within the data row affected by the transaction SPID The Server Process Identifier Begin Time Indicates the transaction start time (server time) Transaction Name Classification of the active transaction End Time Indicates the transaction end time (server time) 07 ,A ut ho rr eta ins Column RowLogContents0 The value which was updated by the transaction (Insert, Update statements) The value which was written to disk (Insert, Update statements) = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 te 20 RowLogContents1 Key fingerprint sti tu For a listing of all columns within the transaction log, please see Appendix B of this document. In The imported data set was filtered to display only records which were executed by SPID 51 and NS between the date/time ranges captured in the timeline. The first two transactions identified, were SA associated with the creation and permission augmentation of the EASYACCESS account which © was identified during the trace file review. A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 21 Author retains full rights. ins fu ll r igh ts. GIAC Gold Template eta The third transaction executed by SPID 51 was an update statement. The transaction log details rr show that a database transaction ID 0000:0000032e which was an update statement affecting 3 07 ,A ut ho records within 3 separate data pages within the database. Marks the beginning of a transaction Unique transaction identifier Data Page identifier for row containing the updated record SA Type of transaction performed On data page row location of record In row data offset of modification © Marks the end of a transaction NS In sti tu te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 A SQL Server data page is an 8192 byte structure which stores database data5. A data page can contain multiple rows and each database contains multiple data pages. Data pages are organized into logical groups of 8 called extents6. Using the transaction log dump, the first update statement was analyzed, identifying a record on row 20 of Data Page 0001:000000d3. Both the A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 22 Author retains full rights. GIAC Gold Template Page ID and Transaction ID values are stored in hex and when converted to decimal produce the following values: Hex 0000:0000032e 0001:000000d3 Decimal 0:814 1:211 fu ll r igh ts. Identifier Transaction ID Data Page In order to view the raw data pages, the OnlineSales database was attached within SQL Server Management Studio (SSMS) version 9.00.1399.00 on my forensic workstation. Within rr eta to examine the raw data pages which have been modified. ins the newly added OnlineSales database, Microsoft-issued commands and procedures will be used ut ho The following command was issued from within the OnlineSales database context 07 ,A dbcc page (OnlineSales, 1, 211, 1) 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 The above command dumped data page 211 which contained the row which had been modified. © SA NS In sti tu te The header of the table was examined to identify the base table to which the data page belonged. A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 23 Author retains full rights. rr eta ins fu ll r igh ts. GIAC Gold Template ho Objectid 629577281 was used as an argument in the following query which was run to resolve 07 ,A ut the name of the object. 20 Select from sysobjects where id = 629577281 Key*fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 tu te This produced the following output which confirmed that the data page belonged to the Order SA NS In sti table. © The method used by SQL Server to store data depends on the data types in use, the size of each column and the order in which the columns were specified when the table was created. Before the raw data pages were examined, the table schema was first gathered by executing the following command: SELECT sc.colorder, sc.name, st.name as 'datatype', sc.length FROM syscolumns sc, A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 24 Author retains full rights. GIAC Gold Template systypes st WHERE sc.xusertype = st.xusertype and sc.id = 629577281 ORDER BY colorder 07 ,A ut ho rr eta ins fu ll r igh ts. The following output was produced which illustrates the schema of the Order table: 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Using slotID: 20 and rowoffset 80 which were obtained previously from the transaction log, the © SA NS In sti tu te specific point within the data row was identified in which the transaction began. A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 25 Author retains full rights. ut ho rr eta ins fu ll r igh ts. GIAC Gold Template 07 ,A Using the table schema obtained earlier, the data type within this row offset is the Price column which contains a 30-byte nchar data type. From the transaction log, the hexadecimal value from te 20 the Key Rowlog0 and Rowlog1 were998D extracted and converted decimal representation. fingerprint = AF19columns FA27 2F94 FDB5 DE3D F8B5to06E4 A169 4E46 00 30 0 sti 35 5 00 30 0 00 2E . 00 30 0 00 30 0 00 30 0 00 20 SP 00 20 SP 00 20 SP NS In Hex ASCII tu RowLog0 2E . 00 35 5 © Hex ASCII SA RowLog1 Mapping the data page determined that the offset for the price column is 0x4f (79), as identified, the update statement began at offset 80. This was done so SQL Server did not have to overwrite a value in which it would need to rewrite as part of the transaction. Therefore the offset was augmented by SQL Server from 79 to 80 to compensate. Taking this into consideration, the A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 26 Author retains full rights. GIAC Gold Template statement executed under transaction 0000:0000032e (0:814) was to update the price column fu ll r igh ts. from “3500.00” to “3.50”: 07 ,A ut ho rr eta ins Start of trn. tu te 20 Key fingerprint = AF19 FA27 2F94 Start 998D of col. FDB5 DE3D F8B5 06E4 A169 4E46 In sti Using the same steps outlined above, the remaining 2 records updated during this transaction © SA NS were identified. A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 27 Author retains full rights. 07 ,A ut ho rr eta ins fu ll r igh ts. GIAC Gold Template RowLog0 20 = AF19 FA27 2F94 F8B5 30 00 30 998D 00 FDB5 2E DE3D 00 30 06E4 00 A169 30 4E46 0 0 . 0 0 tu te HexKey fingerprint 35 00 ASCII 5 00 35 5 00 In 2E . 30 0 00 20 SP 00 20 SP 00 20 SP © SA NS Hex ASCII sti RowLog1 A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 28 Author retains full rights. ho rr eta ins fu ll r igh ts. GIAC Gold Template 35 5 00 30 0 00 30 0 07 ,A Hex ASCII ut RowLog0 00 2E . 00 30 0 00 30 0 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 00 35 5 00 30 0 tu 2E . 00 20 SP 00 20 SP 00 20 SP In sti Hex ASCII te RowLog1 NS It is noted that all 3 records updated during this transaction were associated with the “Volcano 62 SA inch Plasma TV VC2332” product. © The fourth transaction executed by SPID 51 was another update statement. The transaction log details show that transaction ID: 0000:0000032f was an update statement affecting 2 records located on 2 separate data pages. A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 29 Author retains full rights. fu ll r igh ts. GIAC Gold Template The same process used previously was followed to identify the affected records. The row offset and page ID values obtained from the transaction log were used to identify the specific value 07 ,A ut ho rr eta ins updated within the following records: SA NS In sti tu te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © The data type within this offset of the row is the ShipStatusID which is a 4-byte integer value. RowLog0 Hex ASCII 00 00 01 01 00 00 00 00 A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 30 Author retains full rights. GIAC Gold Template RowLog1 00 00 02 02 00 00 00 00 07 ,A ut ho rr eta ins fu ll r igh ts. Hex ASCII sti tu te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 RowLog1 Hex ASCII 00 00 00 00 00 00 00 00 00 00 NS 01 01 SA 00 00 © Hex ASCII In RowLog0 02 02 It is noted that after querying the ShipStatus table the ShipStatusID value of 1 indicates that an order has been shipped and a value of 2 indicates that the order has yet to be shipped. It is the investigator’s belief that the value was updated from 2 to 1 in an attempt to have the customer A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 31 Author retains full rights. GIAC Gold Template repeat shipment of the referenced product to the designated address. The fifth transaction executed by SPID 51 was an insert statement. The transaction log ins fu ll r igh ts. details show that a database transaction 0000:00000330 affected a single row. eta The same procedure used to map the previous update statements to a data pages was followed to 07 ,A ut ho rr identify the inserted record: © SA NS In sti tu te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Querying the remainder of the transactions showed that no future modifications were made to this slot within the data page 0000:00000330 therefore the data currently residing on the data page remains unchanged from its state as inserted during this transaction. The values contained within this record are as follows: A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 32 Author retains full rights. GIAC Gold Template CCType = Visa FirstName = Nino CCNumber = 5518530000000000 LastName = Black ShipStatusID = 2 Address = 72 Starfell Drive OrderDate = March 1, 2007 12:00AM City = SpringLake Product = XBOX 360 State = AZ Price = 4.00 fu ll r igh ts. OrderID = 417 ZIP = 14410 ins The price associated with this item seems inaccurate, and will be flagged for review by the client. eta It was also noted that the credit card number used in this insert statement was also associated ho rr with one of the records updated during transaction 815. 07 ,A ut The sixth transaction executed by SPID 51was transaction 0000:00000331 an update statement affecting 3 records. NS In sti tu te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 SA The same procedure used earlier to map the previous update statements to a data pages was © followed here and resolved to the Order table. Using the table schema obtained earlier, the data type within this row offset is the OrderDate column which contains an 8-byte datetime data type. The first record updated during this transaction was located on data page 211, slot 20 and the updated column began at offset 74. A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 33 Author retains full rights. GIAC Gold Template 07 ,A ut ho Updated Value rr eta ins fu ll r igh ts. OrderDate Column The method in which computers store multiple-byte values vary, some use little-endian ordering 20 7 (LEO) others use big-endian (BEO) . With little-endian ordering, most Keyand fingerprint = AF19 FA27ordering 2F94 998D FDB5 DE3D F8B5 06E4 A169 the 4E46 te significant byte of the number is placed in the first storage byte; big-endian does the reverse and tu stores the least significant byte in the first storage byte. Microsoft operating systems use little- In sti endian ordering7, which is also true in the way SQL Server stores numeric values. NS From the transaction log the hexadecimal values from the Rowlog0 and Rowlog1 columns were RowLog0 Hex (BEO) Hex (LEO) Decimal © SA extracted, switched into LEO and converted to decimal representation. 0x0000000000BD9800 0x000000000098BD00 39101 A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 34 Author retains full rights. GIAC Gold Template RowLog1 0x0000000000E49800 0x000000000098E400 39140 fu ll r igh ts. Hex (BEO) Hex (LEO) Decimal The datetime data type within SQL Server breaks an 8-byte date value into 2 fragments, the first being the number of days before or after January 1st, 1900 and the second being the number of clock computer ticks after midnight with a tick occurring every 3.33 milliseconds5. Applications ins using the datetime data type to store date values only, will have a default time value of eta 00:00:00:000 which represents midnight5. The decimal representation of the RowLog1 column is rr 39140 which when added in days to January 1st, 1900 gives us the date of March 01, 2007. The ut ho order date of this record was updated from January 21, 2007 to March 01, 2007. 07 ,A This procedure was used to identify the remaining two values which were updated within © SA NS In sti tu te 20 transaction 0000:00000331. Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 35 Author retains full rights. GIAC Gold Template 07 ,A ut ho Updated Value rr eta ins fu ll r igh ts. OrderDate Column tu te 0x0000000000BD9800 0x000000000098BD00 39101 sti Hex (BEO) Hex (LEO) Decimal 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 RowLog0 (on disk value prior to transaction) In RowLog1 (committed transaction value) SA NS 0x0000000000E49800 0x000000000098E400 39140 © Hex (BEO) Hex (LEO) Decimal A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 36 Author retains full rights. GIAC Gold Template ho rr eta ins fu ll r igh ts. OrderDate Column 07 ,A ut Updated Value tu te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 In 0x0000000000CE9800 0x000000000098CE00 39118 SA NS Hex (BEO) Hex (LEO) Decimal sti RowLog0 (on disk value prior to transaction) RowLog1 (committed transaction value) 0x0000000000E49800 0x000000000098E400 39140 © Hex (BEO) Hex (LEO) Decimal The seventh transaction executed by SPID 51 was transaction 0000:00000332, a delete statement A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 37 Author retains full rights. GIAC Gold Template fu ll r igh ts. affecting a single record. eta ins This record will be further examined during the data recovery stage of this investigation. ho rr Step 6: Data Recovery ut The seventh transaction executed by SPID 51was transaction 0000:00000332, a delete 07 ,A statement affecting a single record. When a record is deleted within SQL Server, it is marked as a ghost5, which tells the database engine to hide it from future query results even though the 20 Key fingerprint AF19 within FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169runs 4E46periodically underlying data still =resides the data page. A garbage clean-up process te within SQL Server to physically remove the ghost records within the data pages so the space can sti tu be reused. Ghost records contained within a data page are flagged within the page header. In Examining the header of the page 0001:0000000158 (1:344) containing the deleted row showed NS that the m_ghostRecCnt value was set at 0 indicating that the ghost records had already been © SA physically removed from the data page. A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 38 Author retains full rights. fu ll r igh ts. GIAC Gold Template Using the same procedure used earlier in this document to map a data page to the owning ins table identified that the data page associated in this transaction mapped to the OrderHistory eta table. This table had an identical schema to that of the Order table. Within the transaction log, ho rr the following value was obtained from the RowLog0 column of the delete statement: 07 ,A ut “0x30006C009F0000005000610079006500740074006500200020002000200020002000 200020002000200020002000200046004C003100360036003000320001000000000000003A980 20 00033003500300030002E0030003000200020002000200020002000200020000E0000C0060082 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 te 00860098009C00AD00CD004275727443617665323237205374617267656C6C2044726976655 tu 66973613635393033343030333433323233323030566F6C63616E6F20363220696E636820506 In sti C61736D6120545620564332333332” NS The data above is the actual data row deleted from the data page during the transaction. SA To determine exactly what customer data had been deleted, it was necessary to reconstruct the © data row. SQL Server uses two different data row structures, one for rows which contain fixed length columns only, and another for rows containing variable length columns and/or fixed length columns. Based on the schema obtained earlier in this investigation we know that the Order table contains both fixed and variable length data types. The data row structure for a variable length row is as follows: A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 39 Author retains full rights. GIAC Gold Template 1 2 3 Fixed length columns 4 5 6 7 Variable length columns Source: Inside SQL Server 2005 The Storage Engine5 Legend Item 1 Storage Allocation 1 byte 2 1 byte 3 2 bytes Fixed length columns 4 Fixed column length for all fixed columns 2 bytes Location of in row fixed length data columns 5 1 bit for each row column 6 2 bytes 7 2 bytes for each variable length column Variable length columns Used length of all variable length columns Null Bitmap Number of variable length columns within 5 data row Row offset marking the end of each variable 5 length column Location of in row variable length data 5 columns fu ll r igh ts. Description 5 StatusBits A contains data row properties 5 Unused in SQL Server 2005 Row offset to in row location containing the 5 number of columns in the data row ins Total number of columns in data row 5 5 07 ,A ut ho rr eta 5 © SA NS In sti tu te 20 the above row FA27 structure, the FDB5 data obtained from the RowLog0 column of the KeyUsing fingerprint = AF19 2F94and 998D DE3D F8B5 06E4 A169 4E46 transaction log, the data row was reconstructed. A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 40 Author retains full rights. GIAC Gold Template Unused OrderID col. City col. StatusBits A fu ll r igh ts. Pos. to find # of cols. 0x30006C009 F0 000005 000610 079006 500 740074006 500200 020002 000200 020002000 200020 002000 200020002000200046004C0031003600360030003200 State col. ZIP col. ShipStatusID col. eta ins City col. contd. OrderDate col. rr Price col. ho 010000000 000000 03 A980000 33003500300030002E003000300020002000200020 # of cols. FDB5 DE3D F8B5 06E4 A169 4E46 tu LastName col. Address col. CCType col. sti FirstName col. Positions where var cols. 1-6 end te Key fingerprint = AF19 FA27 Null bitmap # of variable cols.998D 2F94 20 Price col. contd. 07 ,A ut 002000200 020002 0000E0000C006008200860098009C00A D00CD In 004275727 443617 665323 237205374617267656C6C20447269766556697361 NS 363539303 334303 033343 332323 332303 05 66 F6C6 3616E6F203 632206 96E636820 CCNumber col. Product col. © SA 506C617 36 D612054 562056 4332333332 Switching the appropriate hex values into LEO, and converting the values to decimal/ASCII representation produced the following. A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 41 Author retains full rights. GIAC Gold Template OrderID: 159 FirstName: Burt LastName: Cave Address: 227 Stargell Drive fu ll r igh ts. City: Payette State: FL ZIP: 16602 CCType: Visa ins CCNumber: 65903400343223200 eta ShipStatusID: 1 07 ,A ut Price: 3500.00 ho Product: Volcano 62 inch Plasma TV VC2332 rr OrderDate: September 11th, 2006 20 NowKey thatfingerprint all of the executed transactions have FDB5 been identified, the timeline was4E46 updated to reflect = AF19 FA27 2F94 998D DE3D F8B5 06E4 A169 User SPID Action N/A SQL Server instance is restarted UNKNOWN 51 SA 51 7:54 AM 7:55 AM SA SA 51 51 7:56 AM SA 51 8:09 AM EASYACCESS 51 SQL Server Brute Force attack launched against PRODSQL05 server from IP 192.168.1.20 SA SQL Server user account logs into PRODSQL05 server from IP address 192.168.1.20 using OSQL.exe EASYACCESS account is created EASYACCESS account is granted access to OnlineSales database EASYACCESS account added to OnlineSales db_owner role SQL Server account logs into PRODSQL05 server sti Time tu te the notable discoveries. UNKNOWN NS 7:26 AM In March 1, 2007 © 7:01 AM – 7:39 AM 7:54 AM SA March 2, 2007 A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 42 Author retains full rights. GIAC Gold Template 51 8:31 AM EASYACCESS 51 8:37 AM EASYACCESS 51 8:38 AM EASYACCESS 51 10:17 AM 11:05 AM 11:16 AM Administrator Administrator Administrator 52 N/A 52 fu ll r igh ts. EASYACCESS ins 8:20 AM from IP address 192.168.1.20 Transaction 814 is executed which updates the price of 3 Volcano Plasma TV orders from $3500.00 to $3.50 Transaction 815 is executed which updates the shippingstatusID column on Volcano Plasma TV orders from 1 (product shipped) to 2 (product not shipped) Transaction 816 is executed which inserts an order for an XBOX 360 billed to the credit card of another database customer. Transaction 817 is executed which sets the orderdate on Plasma TV orders to February 28, 2007 Transaction 818 is executed which deletes a previous order from the OrderHistory table for a Volcano Plasma TV at a price of $3500.00 Start of Forensic Investigation of database server PRODSQL05 server removed from network SQL Server instance shutdown eta 51 rr EASYACCESS ut ho 8:17 AM 07 ,A Step 7: String Search 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 As stated previously in this report, a single physical transaction log file is logically partitioned tu te and split into 4-16 Virtual Log Files (VLFs) by SQL Server. Only a subset of these VLFs will be sti active at any one point. It is possible that the inactive VLFs at one point in time were active and In may contain past transaction data which is relevant within this investigation. Review of the NS active transaction log file used throughout this investigation identified that the earliest log entry SA was 7:26 AM March 1st, 2007 and the latest was 11:16 AM March 2nd, 2007. This date range is © inclusive of the scope of the investigation therefore further review of VLFs is not required. The published Microsoft tools which interpret transaction logs support only active VLFs. Further investigation into transactions which occurred outside of the scope of this investigation will require sting searches to be performed on the inactive areas of the transaction log to identify rows for reconstruction. A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 43 Author retains full rights. GIAC Gold Template fu ll r igh ts. Investigation Summary In conclusion, after gathering and analyzing all evidence, it is in the investigator’s expert ins opinion that on the Morning of March 1st, 2007, an unauthorized user connecting from IP 192.168.1.20 executed a successful brute force attack against the PRODSQL05 server. Once eta access was gained to the database, a connection was made using the Microsoft OSQL client to rr create a backdoor account named EASYACCESS. This account was used by the user to ho fraudulently insert an erroneous product order for an XBOX 360 with the incorrect price of 07 ,A ut $4.00. This order was billed to Visa card number 5518530000000000 which belongs to another customer within the database. It is noted that the mailing addresses used within the fraudulent te 20 order differs from the address of the compromised user and may the unauthorized user. Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5belong 06E4 to A169 4E46 tu In addition to inserting a fraudulent order, the unauthorized user performed the following sti updates to existing Volcano 62 inch Plasma TV VC2332 orders within the Order table. Order dates were set to February 28th, 2007 Prices were updated from $3500.00 to $3.50 The shippingstatusID column was updated from 2 to 1 © SA NS In A single record was also deleted from the Order table for a past Volcano 62 inch Plasma TV VC2332 by the user. A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 44 Author retains full rights. GIAC Gold Template The unauthorized user is believed to have had a general understanding of Transact-SQL (TSQL) syntax in order to have been capable of executing the database transactions via the OSQL 07 ,A ut ho rr eta ins fu ll r igh ts. command line interface and moderate knowledge of the OnlineSales database schema. © SA NS In sti tu te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 45 Author retains full rights. GIAC Gold Template Appendix A The following was text was added to WFT configuration file fu ll r igh ts. ################ # SQL SERVER # ################ NA NA V SQLCMD.RLL NA SQL SERVER NA ins NA 341369b133a26556d963427384ca89ba rr Required by sqlcmd.exe NA NA %s -E -Q "sp_helpdb" > ut DB LISTING SP_HELPDB SQL SERVER 07 ,A EH sp_helpdb ho EVH SQLCMD.exe 28731c04b854cc1570dbdacc89a6c3f2 %s%s%s NA eta M SQLCMD.exe 28731c04b854cc1570dbdacc89a6c3f2 %s -E -Q "select c.session_id, 20 c.connect_time, c.net_transport, c.client_net_address, c.local_tcp_port, Key fingerprint = AF19 FA27c.last_read, 2F94 998Dc.last_write, FDB5 DE3D F8B5 06E4 A169 4E46 te s.text from sys.dm_exec_connections c cross apply sys.dm_exec_sql_text tu (c.most_recent_sql_handle) s" > %s%s%s dm_exec_connections SQLCMD.exe 28731c04b854cc1570dbdacc89a6c3f2 NS EH DM_EXEC_CONNECTIONS In sti DM_EXEC_CONNECTIONS SA sys.dm_exec_sessions" > %s%s%s dm_exec_sessions EH %s -E -Q "select * from DM_EXEC_SESSIONS SQL SERVER © DM_EXEC_SESSIONS SQL SERVER SQLCMD.exe 28731c04b854cc1570dbdacc89a6c3f2 %s -E -Q "select name, type_desc, create_date, modify_date from sys.sql_logins order by create_date, modify_date" > %s%s%s sql_logins SQL_LOGINS SQL_LOGINS SQL SERVER EH SQLCMD.exe 28731c04b854cc1570dbdacc89a6c3f2 %s -E -Q "select * from A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 46 Author retains full rights. GIAC Gold Template sys.dm_exec_requests " > %s%s%s dm_exec_requests SQL SERVER 07 ,A ut ho rr eta ins fu ll r igh ts. DM_EXEC_REQUESTS DM_EXEC_REQUESTS © SA NS In sti tu te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 47 Author retains full rights. GIAC Gold Template Appendix B Transaction Log Column listing: CurrentLSN 24 CHKPT End DB Version 2 Operation 25 Minimum LSN 3 Context 26 Dirty Pages 4 Transaction ID 5 Tag Bits 6 46 PrepLogBegin LSN PrepareTime 48 Virtual Clock Oldest Replicated Begin 49 Previous Savepoint 27 LSN 50 Savepoint Name Log Record Fixed Length 28 Next Replicated End LSN 51 Rowbits First Bit 7 Log Record Length 29 Last Distributed End LSN 52 Rowbits Bit Count 8 PreviousLSN 30 Server UID rr 53 Rowbits Bit Value 9 Flag Bits 31 UID 54 Number of Locks AllocUnitID 32 SPID 55 Lock Information AllocUnitName 33 BeginLogStatus 56 LSN Before Writes eta ho 07 ,A 11 ins 47 ut fu ll r igh ts. 1 20 fingerprint = AF19 FA27 2F94 4E46 57A169 Pages Written 34 998D BeginFDB5 Time DE3D F8B5 06E4 12 Key Page ID Transaction Name 58 Data Pages Delta 36 Transaction SID 59 Reserved Pages Delta 37 End Time 60 Used Pages Delta 38 Transaction Begin 61 Data Rows Delta 39 Replicated Records 62 Command Type Offset in Row 40 Oldest Active LSN 63 Publication ID 19 Checkpoint Begin 41 Server Name 64 Article ID 20 CHKPT Begin DB Version 42 Database Name 65 Partial Status 21 MaxXDESID 43 Mark Name 66 Command 22 Num Transactions 44 Master XDESID 67 Byte Offset 23 Checkpoint End 45 Master DBID 68 New Value Previous Page LSN 15 PartionID 16 RowFlags 17 Num Elements 18 tu 14 © SA NS In sti Slot ID te 35 13 A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 48 Author retains full rights. GIAC Gold Template 69 Old Value 71 Rows Deleted 73 CI Table ID 70 New Split Page 72 Bytes Freed 74 CI Index ID 75 NewAllocationUnitID 85 Column Offset 76 FIlegroupID 86 Flags 95 Page ID 77 Meta Status 87 Text Size 96 Bulk allocated extent ids 78 File Status 88 Offset 97 RowLog Contents 0 79 File ID 89 Old Size 98 RowLog Contents 1 80 Physical Name 90 New Size 99 RowLog Contents 2 81 Logical Name 91 Description 82 Format LSN 92 Bulk allocated extent count 101 RowLog Contents 4 83 RowsetID 93 Bulk rowinsertID 84 TextPtr 94 Bulk allocationunitID 100 RowLog Contents 3 07 ,A ut ho rr eta ins fu ll r igh ts. Bulk allocation first IAM © SA NS In sti tu te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 49 Author retains full rights. GIAC Gold Template References 1 Keith J. Jones, Richard Bejtlich, Curtis W. Rose. Real Digital Forensics, Addison- fu ll r igh ts. Wesley, 2006 “MSDN Blog Pages” http://blogs.msdn.com/sqlserverstorageengine/default.aspx 3 Microsoft Developer Network “MSDN” http://msdn2.microsoft.com/en-us/default.aspx 4 SQL Server 2005 Books Online, http://msdn2.microsoft.com/en- eta ins 2 ho rr us/library/ms130214.aspx Kalen Delaney. Inside SQL Server 2005 The Storage Engine, Microsoft Press, 2007 6 Kalen Delaney and Jim Gray. Inside SQL Server 2000. Microsoft Press, 2001 07 ,A ut 5 © SA NS In sti tu te 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 7 Brian Carrier. File System Forensic Analysis. Addison-Wesley, 2005 A Real World Scenario of a SQL Server 2005 Database Forensics Investigation © SANS Institute 2007, As part of the Information Security Reading Room 50 Author retains full rights. Last Updated: April 30th, 2017 Upcoming SANS Training Click Here for a full list of all Upcoming SANS Events by Location SANS Riyadh 2017 Riyadh, SA May 06, 2017 - May 11, 2017 Live Event SANS Security West 2017 San Diego, CAUS May 09, 2017 - May 18, 2017 Live Event SANS Zurich 2017 Zurich, CH May 15, 2017 - May 20, 2017 Live Event SANS Northern Virginia - Reston 2017 Reston, VAUS May 21, 2017 - May 26, 2017 Live Event SEC545: Cloud Security Architecture and Ops Atlanta, GAUS May 22, 2017 - May 26, 2017 Live Event SANS Melbourne 2017 Melbourne, AU May 22, 2017 - May 27, 2017 Live Event SANS London May 2017 London, GB May 22, 2017 - May 27, 2017 Live Event SANS Stockholm 2017 Stockholm, SE May 29, 2017 - Jun 03, 2017 Live Event SANS Madrid 2017 Madrid, ES May 29, 2017 - Jun 03, 2017 Live Event SANS Atlanta 2017 Atlanta, GAUS May 30, 2017 - Jun 04, 2017 Live Event Security Operations Center Summit & Training Washington, DCUS Jun 05, 2017 - Jun 12, 2017 Live Event SANS San Francisco Summer 2017 San Francisco, CAUS Jun 05, 2017 - Jun 10, 2017 Live Event SANS Houston 2017 Houston, TXUS Jun 05, 2017 - Jun 10, 2017 Live Event SANS Milan 2017 Milan, IT Jun 12, 2017 - Jun 17, 2017 Live Event SEC555: SIEM-Tactical Analytics San Diego, CAUS Jun 12, 2017 - Jun 17, 2017 Live Event SANS Rocky Mountain 2017 Denver, COUS Jun 12, 2017 - Jun 17, 2017 Live Event SANS Thailand 2017 Bangkok, TH Jun 12, 2017 - Jun 30, 2017 Live Event SANS Charlotte 2017 Charlotte, NCUS Jun 12, 2017 - Jun 17, 2017 Live Event SANS Secure Europe 2017 Amsterdam, NL Jun 12, 2017 - Jun 20, 2017 Live Event SANS Minneapolis 2017 Minneapolis, MNUS Jun 19, 2017 - Jun 24, 2017 Live Event SANS Philippines 2017 Manila, PH Jun 19, 2017 - Jun 24, 2017 Live Event DFIR Summit & Training 2017 Austin, TXUS Jun 22, 2017 - Jun 29, 2017 Live Event SANS Paris 2017 Paris, FR Jun 26, 2017 - Jul 01, 2017 Live Event SANS Columbia, MD 2017 Columbia, MDUS Jun 26, 2017 - Jul 01, 2017 Live Event SANS Cyber Defence Canberra 2017 Canberra, AU Jun 26, 2017 - Jul 08, 2017 Live Event SANS London July 2017 London, GB Jul 03, 2017 - Jul 08, 2017 Live Event Cyber Defence Japan 2017 Tokyo, JP Jul 05, 2017 - Jul 15, 2017 Live Event SANS Munich Summer 2017 Munich, DE Jul 10, 2017 - Jul 15, 2017 Live Event SANS Cyber Defence Singapore 2017 Singapore, SG Jul 10, 2017 - Jul 15, 2017 Live Event SANS ICS & Energy-Houston 2017 Houston, TXUS Jul 10, 2017 - Jul 15, 2017 Live Event SANS Los Angeles - Long Beach 2017 Long Beach, CAUS Jul 10, 2017 - Jul 15, 2017 Live Event SANSFIRE 2017 Washington, DCUS Jul 22, 2017 - Jul 29, 2017 Live Event Automotive Cybersecurity Summit OnlineMIUS May 01, 2017 - May 08, 2017 Live Event SANS OnDemand Books & MP3s OnlyUS Anytime Self Paced